applied cryptography data encryption standard
Applied Cryptography
Data Encryption Standard
Sape J. Mullender
Huygens Systems Research Laboratory
Universiteit Twente
Enschede
History
DES has a checkered history. The book provided fascinating reading material. In brief:
1972: National Bureau of Standards initiated a programme to develop an encryption standard.
1974: After a second request for technology, IBM offered its Lucifer product as input. The NBS requested and got help from the NSA in evaluating the input.
1975: Details of the algorithm were published. IBM granted a nonexclusive, royalty-free licence for its use. The NBS requested comments. Many comments concerned NSA’s input; the key size was reduced from 128 bits to 56 bits, and a trapdoor was suspected.
History, contd.
1976: DES was adopted as a federal standard. NSA regrets its cooperation.
1977–1981: Various enhancements were published.
1983: The first five-year review of DES was successful.
1987: NSA (with veto power obtained from Reagan) did not want to recertify the standard. Instead it wanted to certify a series of algorithms which would remain secret. Public outrage prevented this and DES was recertified (but for the very last time!)
1993: DES was recertified.
How DES works
• Block cipher: 64-bit blocks of plaintext are converted to 64-bit ciphertext, using a 56-bit key (or an 8-byte key with parity; note that the parity bit is in the LSB).
• The algorithm is public; the security is in the key.
• The algorithm consists of substitutions and permutations, arranged in 16 rounds.
• It is eminently suited for hardware implementations, but reasonable software implementations can be built too.
Overview
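[Figure: DES overview. Plaintext enters the initial permutation IP, giving L0 and R0; rounds 1 to 16 each apply F with a round key (K1, K2, ..., K16) to produce L1/R1 through L16/R16; a second IP block produces the Ciphertext.]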
The Basic Step
The basic step is reversible:
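$L_i = R_{i-1}$, $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
[Figure: one round drawn in both directions. Forward: L, R and K go through F to give L’, R’ and K’. Backward: L’, R’ and K’ go through F to give L, R and K.]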
The Key
During each step, the key is changed by circularly shifting each 28-bit half left by either one or two bits.
After the shift, 48 bits out of the 56 are used in the one-way function F.
[Figure: the 56-bit key as two 28-bit halves, each shifted by 1 or 2 bits, followed by a compression permutation that outputs 48 bits.]
The One-Way Function
Composed of an expansion permutation, an XOR operation with the 48-bit partial key, an S-box substitution, and a P-box permutation.
Note that this is a one-way function; that is, it does not have an easily computable inverse. It doesn’t have to, because the rounds are invertible even with a non-invertible one-way function.
[Figure: the one-way function. Labels: $L_i$, $R_i$, $K_i$, Expansion, S Box; the data paths are marked 32 and 48 bits wide.]
Expansion Permutation, S-Boxes
The expansion permutation doesn’t permute much. Bits with numbers $\equiv 0 \pmod 4$ and $\equiv 1 \pmod 4$ are doubled, the others are not.
[Figure: expansion permutation mapping the 32 input bits onto 48 output bits.]
The S-boxes map 6 bits down to 4. There are eight different ones. The mapping is done by table lookup; each 4-bit output value is produced by four 6-bit input values.
P-Box Permutation
The P-Box is a straightforward permutation of the bits.
[Figure: P-box wiring between input bits 1 to 32 and output bits 1 to 32.]
Encryption and Decryption
The rounds are individually reversible. This makes decryption very similar to encryption:
• The order of the rounds has to be reversed and, since the difference between rounds is only the key, the sequence of keys has to be reversed.
• The key shifts are reversed (right shift instead of left shift). Note that the shift amounts were chosen to make the shift come back around after round 16 to where it started at round 0.
• The initial and final permutations stay where they are: the initial permutation ‘undoes’ the final permutation so the first round gets the correct input.
Modes of DES
DES is typically used in one of four modes of operation:
ECB: Electronic Codebook Mode
CBC: Cipher Block Chaining Mode
CFB: Cipher Feedback Mode
OFB: Output Feedback Mode
Electronic Codebook Mode
Each block of 64 bits is encrypted and decrypted independently of other blocks.
A cryptanalyst can collect plaintext/ciphertext pairs for known plaintext, compile a ‘codebook’ and detect repetitions of the input.
Block replay is a threat. An attacker can replace a block of ciphertext by a different one undetected by the receiver.
Solution: cipher block chaining ...
Cipher Block Chaining Mode
The purpose is to make blocks depend on all previous blocks so that block substitution no longer works (a checksum at the end of the message will detect tampering).
$C_i = \{P_i \oplus C_{i-1}\}_K$, $P_i = C_{i-1} \oplus \{C_i\}_K$
Two identical messages will still encrypt the same, so an initialization vector (a block of random bits) is chosen for $C_0$.
Note that the IV is not secret, but that’s okay, none of the other $C_i$ are secret either.
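The ECB weaknesses and the CBC equations above, as an added example (not from the original slides). Python's standard library has no DES, so XTEA, another 64-bit block cipher, stands in as the block primitive; the key, IV and message are constructed sample values, and inputs must be a multiple of 8 bytes.

```python
import struct

MASK, DELTA = 0xFFFFFFFF, 0x9E3779B9

def _mix(v, s, k):                        # XTEA round term, reduced to 32 bits
    return ((((v << 4) ^ (v >> 5)) + v) ^ (s + k)) & MASK

def E(key, block):                        # stand-in for {.}_K on one 64-bit block
    (v0, v1), k, s = struct.unpack(">2I", block), struct.unpack(">4I", key), 0
    for _ in range(32):
        v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def D(key, block):                        # inverse of E
    (v0, v1), k, s = struct.unpack(">2I", block), struct.unpack(">4I", key), (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def blocks(data):
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb(cipher, key, data):               # cipher is E to encrypt, D to decrypt
    return b"".join(cipher(key, b) for b in blocks(data))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(p, prev))       # C_i = {P_i xor C_(i-1)}_K, with C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(prev, D(key, c)))  # P_i = C_(i-1) xor D(C_i)
        prev = c
    return b"".join(out)

def repeated_blocks(ct):                  # repetitions a codebook observer can count
    return len(blocks(ct)) - len(set(blocks(ct)))

KEY = bytes(range(16))                    # constructed sample key
IV = bytes.fromhex("0011223344556677")    # constructed; a real IV is random per message
MSG = b"PAY 0100PAY 0100TO ALICE"         # constructed: blocks 1 and 2 are identical
```

On this sample, ECB produces one repeated ciphertext block and reordered ECB blocks still decrypt to valid (reordered) plaintext, while CBC shows no repeats and a different IV gives a different ciphertext.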
Cipher Feedback Mode
[Figure: CFB mode, encryption side and decryption side. Labels on each side: a shift register with positions 0 to 7, Encrypt, Key, Shift, P, C.]
An initialization vector provides the initial contents of the shift register.
Output Feedback Mode
Output Feedback mode generates an input-independent one-time pad that is XOR-ed with the input stream.
[Figure: OFB mode, encryption side and decryption side. Labels on each side: a shift register with positions 0 to 7, Encrypt, Key, Shift, K, P, C.]
OFB Feedback Size
Output Feedback mode is not secure unless the feedback size equals the block size (i.e., 64 bits). The cycle time is then $2^{64} - 1$. Smaller feedback sizes shorten the cycle time to approximately $2^{32}$, which is not long enough.
[Figure: OFB with full-block feedback. Labels: Encrypt, Key, K, P, C.]
Weak Keys
The halves of the key are shifted. If one key half consists entirely of 1s or 0s, shifting it around won’t change it. This creates a substantial weakness. The following keys, therefore, are weak:
0000000 0000000
0000000 FFFFFFF
FFFFFFF 0000000
FFFFFFF FFFFFFF
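The effect of the key-half rotation on these keys, as an added example (not from the original slides). It assumes the two 7-hex-digit groups above are the 28-bit key halves and uses the per-round left-shift amounts from the DES standard, which the slides do not list.

```python
# Left-shift amounts for rounds 1..16 (from the DES standard, not on the slides).
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
HALF_BITS = 28
HALF_MASK = (1 << HALF_BITS) - 1

# The four weak keys listed on the slide, read as (C, D) 28-bit halves (assumption).
WEAK_KEYS = [(0x0000000, 0x0000000), (0x0000000, 0xFFFFFFF),
             (0xFFFFFFF, 0x0000000), (0xFFFFFFF, 0xFFFFFFF)]

def rotl28(x, n):
    """Circular left shift of one 28-bit key half."""
    return ((x << n) | (x >> (HALF_BITS - n))) & HALF_MASK

def round_states(c, d):
    """Key-register contents (C_i, D_i) for rounds 1..16. Each 48-bit round
    key is a fixed selection of bits from the matching state."""
    states = []
    for n in SHIFTS:
        c, d = rotl28(c, n), rotl28(d, n)
        states.append((c, d))
    return states

def distinct_round_states(c, d):
    """Equal register states give equal round keys, so this count is an
    upper bound on how many different round keys the 16 rounds use."""
    return len(set(round_states(c, d)))

def is_weak(c, d):
    """Weak in the slide's sense: both halves are unchanged by any rotation."""
    return all(half in (0, HALF_MASK) for half in (c, d))

def returns_to_start(c, d):
    """The shifts total 28 bits, so round 16 leaves the register as at round 0."""
    return round_states(c, d)[-1] == (c, d)
```

A key-generation routine can call `is_weak` on candidate halves and draw again when it returns true.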
Complement Keys
The encryption is done entirely by shifting and permuting bits and by XOR-ing. The results of shifting and permuting are independent of the bit values. Due to the properties of XOR, therefore:
$\{P\}_K = C \iff \{P'\}_{K'} = C'$
where $X'$ is the bitwise complement of $X$.
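A toy Feistel network, added here as an example (not DES itself and not from the original slides), showing both that the rounds invert even though F has no inverse and that the complement property follows when the key meets the data only through an XOR. The round function (a truncated SHA-256), the 32-bit subkeys and the sample block are assumptions made for illustration.

```python
import hashlib

HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1

def F(right, subkey):
    """Toy one-way function: hash (R xor K) and keep 32 bits. As in DES, the
    subkey meets the data only in an XOR; the function itself has no inverse."""
    digest = hashlib.sha256((right ^ subkey).to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, subkeys):
    """One round per subkey, then a final swap so the same code decrypts."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        # L_i = R_(i-1);  R_i = L_(i-1) xor F(R_(i-1), K_i)
        left, right = right, left ^ F(right, k)
    return (right << HALF_BITS) | left

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    # Same rounds, subkeys in reverse order; F is only ever evaluated forwards.
    return feistel(block, subkeys[::-1])

def complement(x, bits):
    return x ^ ((1 << bits) - 1)

def complement_property_holds(block, subkeys):
    """Check {P'}_{K'} == ({P}_K)' for the toy cipher."""
    c = encrypt(block, subkeys)
    c_bar = encrypt(complement(block, 2 * HALF_BITS),
                    [complement(k, HALF_BITS) for k in subkeys])
    return c_bar == complement(c, 2 * HALF_BITS)

# Constructed sample values: 16 subkeys and one 64-bit block.
SUBKEYS = [(0x9E3779B9 * (i + 1)) & HALF_MASK for i in range(16)]
BLOCK = 0x0123456789ABCDEF
```

Complementing R and K together leaves the input to F unchanged, so only the L half carries the complement through each round.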
DES and Mathematics
If the DES operator formed a group over the set of inputs:
$\forall K_1, K_2\ \exists K_3 : \{\{P\}_{K_1}\}_{K_2} = \{P\}_{K_3}$
This would imply double DES would be useless. If DES were pure:
$\forall K_1, K_2, K_3\ \exists K_4 : \{\{\{P\}_{K_1}\}_{K_2}\}_{K_3} = \{P\}_{K_4}$
and triple DES would be useless.
Fortunately, DES is not a group and it is certainly not pure (one implies the other).
Triple DES
Works by encrypting, decrypting and encrypting with three keys (sometimes with two: $K_1, K_2, K_1$).
[Figure: P to C through Encrypt, Decrypt, Encrypt with keys K1, K2, K3; the reverse direction runs Decrypt, Encrypt, Decrypt.]
DESX
Uses whitening which makes a brute-force attack much, much harder.
[Figure: DESX. Labels: P, K, K1, K2, F, Encrypt, C.]
IDEA
Proposed in 1960, by Xuejia Lai and James Massey, IDEA is probably the strongest block cipher around today. It uses three basic operations on 16-bit subblocks:
$\oplus$: XOR
$\boxplus$: Addition modulo $2^{16}$
$\odot$: Multiplication modulo $2^{16} + 1$
DES encrypts 64-bit data blocks with a 128-bit key. The basic step (shown in the next slide) is repeated 8 times. During each step, 6 subkeys are used.
IDEA Basic Step
[Figure: IDEA basic step. One round takes inputs X1, X2, X3, X4 and subkeys Z1 to Z6; the output transformation uses Z1 to Z4 and gives X’1, X’2, X’3, X’4.]
IDEA Subkeys
There are 6 subkeys for each round and 8 rounds: 48 subkeys. There are four more subkeys for the output transformation: 52 keys total.
• The 128-bit key is divided into 8 16-bit subkeys.
• These are used as the first 8 subkeys (6 in round 1, 2 in round 2).
• Then the key is rotated left 25 bits and is again divided into 8 subkeys (4 in round 2, 4 in round 3).
• This process repeats.
IDEA Decryption
Steps are reversed, the key is rotated right, and subkeys are additively or multiplicatively inverted before use (this is data independent, so it needs to be done only once at initialization).
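The subkey schedule from the IDEA Subkeys slide and the two inversions mentioned here, as an added example (not from the original slides). The sample key is constructed, and treating a 16-bit value of 0 as 2^16 in the multiplication is IDEA's convention, which the slides do not spell out; the order in which decryption consumes the inverted subkeys is not covered.

```python
KEY_BITS = 128
KEY_MASK = (1 << KEY_BITS) - 1
MODULUS = 0x10001                      # 2^16 + 1, a prime

def idea_subkeys(key):
    """Expand a 128-bit key (as an int) into the 52 16-bit encryption subkeys."""
    subkeys = []
    while len(subkeys) < 52:
        # Split the current 128 bits into eight 16-bit subkeys, high word first.
        subkeys += [(key >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        # Rotate the whole key left by 25 bits before taking the next eight.
        key = ((key << 25) | (key >> (KEY_BITS - 25))) & KEY_MASK
    return subkeys[:52]

def split_rounds(subkeys):
    """Six subkeys for each of the 8 rounds, four for the output transformation."""
    return [subkeys[6 * r:6 * r + 6] for r in range(8)], subkeys[48:52]

def mul(a, b):
    """Multiplication modulo 2^16 + 1, with the 16-bit value 0 standing for 2^16."""
    return (((a or 0x10000) * (b or 0x10000)) % MODULUS) & 0xFFFF

def mul_inverse(x):
    """Multiplicative inverse modulo 2^16 + 1, via Fermat: x^(p-2) mod p."""
    return pow(x or 0x10000, MODULUS - 2, MODULUS) & 0xFFFF

def add_inverse(x):
    """Additive inverse modulo 2^16."""
    return (-x) & 0xFFFF

SAMPLE_KEY = 0x00010002000300040005000600070008   # constructed sample key
```

Both inverses depend only on the key, which is why they can be computed once when the decryption key is set up.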